[332] in athena10


Re: Caching DNS for Athena 10

daemon@ATHENA.MIT.EDU (Kevin Chen)
Mon Jul 28 16:44:09 2008

Date: Mon, 28 Jul 2008 16:43:23 -0400 (EDT)
From: Kevin Chen <kchen@MIT.EDU>
To: ghudson@mit.edu
cc: athena10@mit.edu
In-Reply-To: <200807281952.m6SJq5Ms008332@outgoing.mit.edu>
Message-ID: <alpine.DEB.1.10.0807281629200.6462@vinegar-pot.mit.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Mon, 28 Jul 2008, ghudson@MIT.EDU wrote:

>  3. (Optional) Configure the caching resolver to listen only to 127.0.0.1
>  4. (Optional) Configure the caching named to forward to MIT name servers

> (3) is a simple configuration tweak to either package; the question is
> whether we want to do it.  If the cache is accessible from the
> outside, it is perhaps easier to compromise since you can force the
> cache to perform a DNS query on demand; on the other hand, that's
> often not difficult to do through other means.  Having the cache
> accessible from the outside does make it easier to scan for
> vulnerability.

It also protects you in case any vulnerabilities in BIND happen to 
surface.  If the only reason for listening externally is to scan for 
vulnerabilities, you should have that information already by getting the 
list of packages on the machine with athinfo, assuming that still exists 
in Athena 10.  Doing whatever DNS queries you want is also much easier 
than getting a user to load a web page or something pointing to the 
desired name.

Open recursion also allows random attackers to use your system to perform 
denial of service attacks from the system.

Googling finds these documents, which might be useful:
http://www.ietf.org/internet-drafts/draft-ietf-dnsop-reflectors-are-evil-05.txt
http://www.afnic.fr/actu/nouvelles/general/NN20060404_en
http://www.isotf.org/news/DNS-Amplification-Attacks.pdf
http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf

> (4) is an easy configuration tweak to dnsmasq, and a slightly harder
> one to bind9.

What's the benefit of doing so?

--
Kevin Chen
http://www.sneswhiz.com/
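An added example, not code from this thread or from the Athena project: a small Python audit of a BIND 9 `options` block against the two optional items quoted above, (3) listening only on loopback and (4) forwarding to upstream name servers. The two sample configurations are constructed for the example, and the forwarder addresses in the hardened one are documentation placeholders (192.0.2.x), not MIT's actual name servers. The weak configuration is the kind of package default the thread is worried about: no `listen-on`, so named binds every interface, and `allow-recursion { any; }`, so anyone who can reach it can drive cache lookups.

```python
"""Audit a BIND 9 options block for loopback-only listening and forwarding.

Added example; the sample configs are constructed and the upstream
addresses are placeholders, not MIT's real name servers.
"""
import ipaddress
import re

# One "name [port N] { a; b; };" statement with a flat list body.  [^{}]
# stops the match from swallowing the enclosing "options { ... }" block.
_LIST_STMT = re.compile(r"\b([\w-]+)\s*(?:port\s+\d+\s*)?\{([^{}]*)\}\s*;")
# Simple "name value;" statements we care about, e.g. "recursion no;".
_SIMPLE_STMT = re.compile(r"\b(recursion|forward)\s+([\w-]+)\s*;")


def parse_options(text):
    """Return {statement: [items]} for the list and simple statements found."""
    text = re.sub(r"//[^\n]*|#[^\n]*", "", text)          # line comments
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)     # block comments
    stmts = {}
    for name, body in _LIST_STMT.findall(text):
        items = [i.strip() for i in body.split(";") if i.strip()]
        stmts.setdefault(name, []).extend(items)
    for name, value in _SIMPLE_STMT.findall(text):
        stmts[name] = [value]
    return stmts


def _listen_item_ok(item):
    # listen-on matches interface addresses: only literal loopback addresses
    # (or "none") keep the cache off the network.  "any" or an ACL name such
    # as "localhost" would bind every interface.
    if item == "none":
        return True
    try:
        return ipaddress.ip_address(item).is_loopback
    except ValueError:
        return False


def _recursion_item_ok(item):
    # allow-recursion matches client source addresses: "localhost" (this
    # host's own addresses), "none" or a loopback literal are acceptable.
    if item in ("localhost", "none"):
        return True
    try:
        return ipaddress.ip_address(item).is_loopback
    except ValueError:
        return False


def audit(text):
    """Return (findings, forwarders); an empty findings list means the cache
    is reachable and recursive for this host only."""
    stmts = parse_options(text)
    findings = []
    if "listen-on" not in stmts:
        # With no listen-on statement named binds every IPv4 interface.
        findings.append("no listen-on: named listens on all IPv4 interfaces")
    for key in ("listen-on", "listen-on-v6"):
        for item in stmts.get(key, []):
            if not _listen_item_ok(item):
                findings.append(f"{key} includes non-loopback entry '{item}'")
    if stmts.get("recursion", ["yes"])[0] != "no":
        if "allow-recursion" not in stmts:
            findings.append("allow-recursion not set: left to BIND defaults")
        for item in stmts.get("allow-recursion", []):
            if not _recursion_item_ok(item):
                findings.append(f"allow-recursion permits '{item}'")
    return findings, stmts.get("forwarders", [])


# Constructed: a cache at package defaults, open to anyone who can reach it.
OPEN_CACHE = """
options {
    directory "/var/cache/bind";
    allow-recursion { any; };
    listen-on-v6 { any; };
};
"""

# Constructed: the loopback-only, forwarding cache the thread describes.
# 192.0.2.1 and 192.0.2.2 are placeholders, not MIT's name servers.
LOCAL_CACHE = """
options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; };          // item (3): loopback only
    listen-on-v6 { ::1; };
    allow-recursion { localhost; };    // only this host may recurse
    forwarders { 192.0.2.1; 192.0.2.2; };  // item (4): upstream (placeholders)
    forward only;
};
"""

if __name__ == "__main__":
    for label, cfg in (("open cache", OPEN_CACHE), ("local cache", LOCAL_CACHE)):
        findings, forwarders = audit(cfg)
        print(f"{label}: {len(findings)} finding(s), forwarders={forwarders}")
        for f in findings:
            print("  -", f)
```

The audit deliberately treats `localhost` differently in the two statements: in `allow-recursion` it names the host's own addresses as query sources, which is what the thread wants, but in `listen-on` it would match every interface address and so bind the cache to the network.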
